Bret Comnes

@tekbog hand whittled

mfers will start selling “home made code” soon

@matteocollina Starting to think this might be a drawback

What makes JavaScript so interesting as a platform to build libraries and tools is its pervasiveness. Every application contains some JS. Every developer needs to know some JS. Building developer tools for the masses has been one of my life goals.

@tomwarren Still no gyro ?

Leaked images reveal Microsoft's new Xbox Elite 3 controller. The Elite 3 controller appears to have new scroll wheel buttons, a removable battery, and a new cloud mode button. Full details 👇theverge.com/news/930902/mi…

🚨 node-ipc is compromised again. Three new malicious versions just dropped: 9.1.6, 9.2.3, and 12.0.1. Socket’s AI scanner flagged them as malware within three minutes of publication. The attack vector: a dormant maintainer account (atiertant) was likely taken over via an expired email domain. The attacker registered the lapsed domain, triggered an npm password reset, and gained publish rights to a package with millions of historical downloads. The payload is a credential stealer embedded in the CommonJS entrypoint (node-ipc.cjs). It activates on require(“node-ipc”), not through a postinstall script. Here’s what it does: •Fingerprints the host (OS, arch, hostname, uname) •Harvests 113-127 credential file patterns depending on platform (AWS, GCP, Azure, SSH keys, Kubernetes configs, npm tokens, .env files, shell histories, macOS Keychain databases, and more) •Dumps the entire process.env, capturing every CI secret and cloud credential in memory •Builds a gzip archive in a temp directory •Exfiltrates everything over DNS TXT queries to bt[.]node[.]js, using a bootstrap resolver at sh[.]azurestaticprovider[.]net:443 (a deliberate lookalike of Microsoft’s Azure Static Web Apps domain) The DNS exfiltration is chunked. A 500 KB archive generates roughly 29,400 TXT queries. The body is XOR-encrypted with a SHA-256 keystream, base64-encoded, alphabet-substituted, and split into 31-character chunks before hex-encoding into DNS labels. Header, data, and footer queries use xh, xd, and xf prefixes respectively. The malware forks a detached child process (env var __ntw=1) so credential theft runs silently in the background. It also exposes a __ntRun export, meaning any downstream code that calls require(“node-ipc”).__ntRun() can trigger a second collection/exfiltration cycle. ESM-only consumers using the import path are not affected by the reviewed package metadata. CommonJS consumers are. This is the same package involved in the 2022 protestware incident. It has a history. If you use node-ipc: •Do not install 9.1.6, 9.2.3, or 12.0.1 •Audit your lockfiles for these versions •If you loaded the CommonJS entrypoint, treat all environment variables, SSH keys, cloud credentials, npm tokens, and local secrets as compromised. Rotate immediately. •Hunt for DNS TXT queries to bt[.]node[.]js and sh[.]azurestaticprovider[.]net in your network logs •Check for temp files matching /nt-/.tar.gz Credit to Ian Ahl (@TekDefense) for first publicly identifying the expired-domain account takeover vector. Developing story. Full technical breakdown and IOCs on the Socket blog: socket.dev/blog/node-ipc-…

@darcy People can't keep auth tokens safe, how are they expected to keep signing tokens safe?! The keeping the credentials safe is the problem needing a solution, but they keep hiding the keys under the doormat.

@bcomnes Because they were told it would.

@darcy Real lore

ngl I was hoping tsgo would be faster

@zeddotdev Good compromise thank you

Your Claude subscription still works in the terminal. And next week we're shipping Terminal Threads to Stable so terminal agents appear in the new Sidebar alongside your native agent threads.

Anthropic's Claude billing changes hit June 15. We wrote up what it means for Zed users and what your options are: zed.dev/blog/anthropic…

There's this sub-niche group of people in tech twitter with anon handles and often a cartoon pfp, nothing of substance to show for their own opinions, that love to come in and make the most low iq replies about languages or frameworks and man I wish I could just block them all

The latest npm security incident has a slightly different shape but would still have been mitigated by what I suggested back in January. humanwhocodes.com/blog/2026/01/h…

@MMarcgg3 @heyandras Are they reselling accounts?

@bcomnes @heyandras And GitHub metrics padding

We made a fake repo with fake bounties, and the bots are applying fake PRs, so we know who is fake, and we can ban them from the Coolify repo. IQ over 1000

@HotAisle @feross It’s not just the bottom quartile getting it wrong. The ecosystem shouldn’t have to navigate this every other week.

@HotAisle @feross It’s not being used correctly and it’s causing $$$$ in damages

pull_request_target strikes again. GitHub aught to remove this feature and re-introduce it with better security.

Please everyone use Socket Firewall and set your package managers minimum release age. All node package managers as far as I found support this; set it to 7 days. This would mitigate most of your risks

@evanplaice Agree people collapsed this too far

@bcomnes Not semver, semantic-version. The reason you see repos with everything named like feat() or chore(). PRs and commits titles are read to indicate what type of release it should be. Which means no separation of pr/push vs release.

I'm 100% vindicated on slow walking attestation on my projects.

@ryanvogel Don't use pull_request_target. Disable install scripts. Enable cooldown.

This stuff is getting more and more common every day, is there any guide or tutorial that shows how to properly secure a github account/repo/org/etc?

@DavidWells This is the biggest thing you can do. Cooldowns are okay I guess but this is the vector that drives all of this.

@DavidWells This is the biggest gain possible now.

NPM should do a breaking change where users have to opt-in to postinstall scripts It will be annoying for certain users cases but 1000% safer